Posted by samzenpus on Monday September 28, 2015 @04:15PM
from the protect-ya-neck dept.

An anonymous reader writes: A Spanish researcher claims to have uncovered a vulnerability in the security procedures of Google's AdSense program which would allow a third party to manipulate clicks on Google's syndicated ad service by 'de-cloaking' the obfuscated advertiser URLs that Google AdSense placements provide as links. He has also provided downloadable PHP files to show the exploit in action.

It's absolutely not. Look at Figure 1 of the PDF you linked. They show JavaScript code (that is clearly identified as such for someone who doesn't even know what it is), but call it Java code. They even go on to call JavaScript files Java files. These are two totally different things. I didn't bother reading any more, but I am sure this is consistently wrong throughout the paper.

Yeah, kind of a weird thing, right?
We have hack-a-day, hacker-space, life-hacker, all kinds of things where the MIT meaning of the word "hacker" has entered into the mainstream.
And yet the word "hacker" as a malicious attacker is also perfectly viable in the mainstream.

Thus we have a word that is both extremely negative and fairly positive, and yet collisions are rare. People always seem to be able to figure out what is meant.

This is just another example of how security through obscurity will never work. At the end of the day the client browser ends up with a URL for the user to click on to view the ad. No amount of obfuscation or iframe shell games can change this fact. Game over.